bool FindEncrypted()
{
var ep = module.EntryPoint;
if (ep == null || ep.Body == null)
{
return(false);
}
if (!DotNetUtils.IsMethod(ep, "System.Void", "(System.String[])"))
{
return(false);
}
var initMethod = CheckCalledMethods(ep);
if (initMethod == null || !new LocalTypes(initMethod).All(encryptedRequiredLocals))
{
return(false);
}
var resource = GetResource();
if (resource == null)
{
return(false);
}
assemblyEncryptedResource = resource;
return(true);
}
bool CheckInitMethod(MethodDef method)
{
if (method == null || !method.IsStatic || method.Body == null)
{
return(false);
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
return(false);
}
var type = method.DeclaringType;
if (type.NestedTypes.Count != 1)
{
return(false);
}
if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
{
return(false);
}
var resolveHandler = DeobUtils.GetResolveMethod(method);
if (resolveHandler == null)
{
return(false);
}
initMethod = method;
resolverType = type;
handlerMethod = resolveHandler;
return(true);
}
void Find(TypeDef type, ICflowDeobfuscator cflowDeobfuscator)
{
var additionalTypes = new List <string> {
"System.IO.BinaryReader",
"System.IO.FileStream",
"System.Reflection.Assembly",
"System.Reflection.Assembly[]",
"System.String",
};
foreach (var method in type.Methods)
{
if (!DotNetUtils.IsMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
{
continue;
}
if (!DecryptMethod.CouldBeDecryptMethod(method, additionalTypes))
{
continue;
}
cflowDeobfuscator.Deobfuscate(method);
if (!decryptMethod.GetKey(method))
{
continue;
}
return;
}
}
bool CheckCalledMethods(MethodDef checkMethod)
{
if (checkMethod == null || checkMethod.Body == null)
{
return(false);
}
foreach (var method in DotNetUtils.GetCalledMethods(module, checkMethod))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (CheckResolverInitMethod(method))
{
return(true);
}
}
return(false);
}
MethodDef FindInt64Method()
{
if (type == null)
{
return(null);
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null || method.HasGenericParameters)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Int64", "()"))
{
continue;
}
if (!FindInt64(method))
{
continue;
}
return(method);
}
return(null);
}
static bool FindMod(MethodDef method, out ulong mod)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++)
{
var ldci8 = instrs[i];
if (ldci8.OpCode.Code != Code.Ldc_I8)
{
continue;
}
var call = instrs[i + 1];
if (call.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = call.Operand as IMethod;
if (calledMethod == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)"))
{
continue;
}
mod = (ulong)(long)ldci8.Operand;
return(true);
}
mod = 0;
return(false);
}
static MethodDef GetTheOnlyMethod(TypeDef type, string returnType, string parameters)
{
MethodDef foundMethod = null;
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null || method.HasGenericParameters)
{
continue;
}
if (method.IsPrivate)
{
continue;
}
if (!DotNetUtils.IsMethod(method, returnType, parameters))
{
continue;
}
if (foundMethod != null)
{
return(null);
}
foundMethod = method;
}
return(foundMethod);
}
public static MethodDef FindDecrypterMethod(MethodDef method)
{
if (method == null || method.Body == null)
{
return(null);
}
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.IO.MemoryStream", "(System.IO.Stream)"))
{
continue;
}
return(calledMethod);
}
return(null);
}
void FindEncryptedResourceSet()
{
foreach (var type in module.Types)
{
if (type.Namespace != "")
{
continue;
}
if (type.BaseType == null || type.BaseType.FullName != "System.Resources.ResourceSet")
{
continue;
}
var ctor = type.FindMethod(".ctor");
if (!DotNetUtils.IsMethod(ctor, "System.Void", "(System.Resources.IResourceReader)"))
{
continue;
}
var method = type.FindMethod("GetDefaultReader");
if (!DotNetUtils.IsMethod(method, "System.Type", "()"))
{
continue;
}
if (method.Body == null || method.IsStatic || !method.IsVirtual)
{
continue;
}
encryptedResourceSet_GetDefaultReader = method;
encryptedResourceSetType = type;
return;
}
}
bool Find(MethodDef methodToCheck) {
if (methodToCheck == null)
return false;
foreach (var method in DotNetUtils.GetCalledMethods(module, methodToCheck)) {
var type = method.DeclaringType;
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
continue;
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
continue;
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
continue;
Deobfuscate(method);
if (!ContainsString(method, "debugger is activ") &&
!ContainsString(method, "debugger is running") &&
!ContainsString(method, "Debugger detected") &&
!ContainsString(method, "Debugger was detected") &&
!ContainsString(method, "{0} was detected") &&
!ContainsString(method, "run under") &&
!ContainsString(method, "run with") &&
!ContainsString(method, "started under") &&
!ContainsString(method, "{0} detected") &&
!ContainsString(method, "{0} found"))
continue;
antiDebuggerType = type;
antiDebuggerMethod = method;
return true;
}
return false;
}
string GetMainResourceKey(MethodDef method, out MethodDef decryptAssemblyMethod)
{
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, method))
{
if (!calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.String[])"))
{
continue;
}
DeobfuscateAll(calledMethod);
string keyInfo = GetMainResourceKeyInfo(calledMethod, out decryptAssemblyMethod);
if (keyInfo == null)
{
continue;
}
return(BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(new ASCIIEncoding().GetBytes(keyInfo))).Replace("-", ""));
}
decryptAssemblyMethod = null;
return(null);
}
bool CheckCctor(MethodDef cctor)
{
var ldtokenType = GetLdtokenType(cctor);
if (!new SigComparer().Equals(ldtokenType, cctor.DeclaringType))
{
return(false);
}
MethodDef initMethod = null;
foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
{
if (DotNetUtils.IsMethod(method, "System.Void", "(System.Type)"))
{
initMethod = method;
break;
}
}
if (initMethod == null || initMethod.Body == null)
{
return(false);
}
return(true);
}
protected static MethodDef FindDecrypterMethod(TypeDef type)
{
MethodDef cctor = null, decrypterMethod = null;
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
return(null);
}
if (method.Name == ".cctor")
{
cctor = method;
}
else if (DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
decrypterMethod = method;
}
else
{
return(null);
}
}
if (cctor == null || decrypterMethod == null)
{
return(null);
}
return(decrypterMethod);
}
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
}
return(null);
}
void Find(TypeDef type, ICflowDeobfuscator cflowDeobfuscator)
{
var additionalTypes = new List <string> {
"System.IO.BinaryWriter",
};
foreach (var method in type.Methods)
{
if (!DotNetUtils.IsMethod(method, "System.Void", "(System.Int32[],System.UInt32[])"))
{
continue;
}
if (!DecryptMethod.CouldBeDecryptMethod(method, additionalTypes))
{
continue;
}
cflowDeobfuscator.Deobfuscate(method);
if (!decryptMethod.GetKey(method))
{
continue;
}
FindPatchData(type, cflowDeobfuscator);
return;
}
}
static MethodDef FindXxteaMethod(TypeDef type)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || method.IsStatic || method.Body == null)
{
continue;
}
if (DotNetUtils.IsMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])"))
{
if (!DeobUtils.HasInteger(method, 0x9E3779B9))
{
continue;
}
}
else if (DotNetUtils.IsMethod(method, "System.Void", "(System.UInt32[],System.UInt32[],System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32)"))
{
// Here if 5.0. 0x9E3779B9 is passed to it as the last arg.
}
else
{
continue;
}
if (!DeobUtils.HasInteger(method, 52))
{
continue;
}
return(method);
}
return(null);
}
void FindPatchData(TypeDef type, ICflowDeobfuscator cflowDeobfuscator)
{
var locals = new List <string> {
"System.Int32[]",
"System.UInt32[]",
};
foreach (var method in type.Methods)
{
if (method.Attributes != MethodAttributes.Private)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (!new LocalTypes(method).Exactly(locals))
{
continue;
}
cflowDeobfuscator.Deobfuscate(method);
var patchInfo = GetPatchInfo(method);
if (patchInfo == null)
{
continue;
}
patchInfos.Add(patchInfo);
}
}
public void Find()
{
var additionalTypes = new string[] {
"System.Boolean",
};
foreach (var type in module.Types)
{
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || !method.HasBody)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Boolean", "(System.Int32)"))
{
continue;
}
if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
{
continue;
}
encryptedResource.Method = method;
return;
}
}
}
static bool CheckDecrypterMethod(MethodDef method)
{
if (method == null || !method.IsStatic || method.Body == null)
{
return(false);
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
return(false);
}
if (!new LocalTypes(method).All(requiredLocalTypes))
{
return(false);
}
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode != OpCodes.Callvirt)
{
continue;
}
var calledMethod = instr.Operand as IMethod;
if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)")
{
return(true);
}
}
return(false);
}
static MethodDef FindDecryptMethod(TypeDef type)
{
if (type == null)
{
return(null);
}
foreach (var method in type.Methods)
{
if (method.Body == null || !method.IsStatic || method.IsPrivate)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.UInt32)"))
{
continue;
}
if (!DotNetUtils.CallsMethod(method, "System.String System.Runtime.InteropServices.Marshal::PtrToStringAnsi(System.IntPtr)"))
{
continue;
}
return(method);
}
return(null);
}
static FieldDef FindDelegateField(TypeDef mainType, string returnType, string parameters)
{
foreach (var field in mainType.Fields)
{
var fieldSig = field.FieldSig;
if (fieldSig == null)
{
continue;
}
var fieldType = fieldSig.Type.ToTypeDefOrRef() as TypeDef;
if (fieldType == null)
{
continue;
}
if (fieldType.BaseType != null && fieldType.BaseType.FullName != "System.MulticastDelegate")
{
continue;
}
var invokeMethod = fieldType.FindMethod("Invoke");
if (!DotNetUtils.IsMethod(invokeMethod, returnType, parameters))
{
continue;
}
return(field);
}
return(null);
}
static MethodDef CheckMethodsV30(TypeDef type)
{
if (type.Methods.Count < 1 || type.Methods.Count > 2)
{
return(null);
}
MethodDef decrypterMethod = null;
MethodDef cctor = null;
foreach (var method in type.Methods)
{
if (method.Name == ".cctor")
{
cctor = method;
continue;
}
if (decrypterMethod != null)
{
return(null);
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32,System.Int32,System.Int32)"))
{
return(null);
}
decrypterMethod = method;
}
if (decrypterMethod == null || !decrypterMethod.IsStatic)
{
return(null);
}
return(decrypterMethod);
}
List <MethodDef> FindEfConstMethodCalls(MethodDef method)
{
if (method == null)
{
return(null);
}
var list = new List <MethodDef>();
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.Int32", "()"))
{
continue;
}
if (type.NestedTypes.IndexOf(calledMethod.DeclaringType) < 0)
{
continue;
}
list.Add(calledMethod);
}
return(list);
}
public void Find()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (CheckType(method))
{
break;
}
}
}
bool InitializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (handlerMethod == null)
{
return(true);
}
foreach (var method in resolverType.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (!DeobUtils.HasInteger(method, ':') || !DeobUtils.HasInteger(method, '|'))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
if (!InitializeInfos(method))
{
continue;
}
return(true);
}
return(false);
}
public void Find()
{
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module)))
{
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
{
continue;
}
nativeLibCallerType = calledMethod.DeclaringType;
initMethod = calledMethod;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod))
{
nativeFileResource = DotNetUtils.GetResource(module, s);
if (nativeFileResource != null)
{
break;
}
}
return;
}
}
void FindOverrideMethods()
{
foreach (var method in type.Methods)
{
if (!method.IsVirtual)
{
continue;
}
if (DotNetUtils.IsMethod(method, "System.Void", "(System.IO.BinaryReader)"))
{
if (readMethod != null)
{
throw new ApplicationException("Found another read method");
}
readMethod = method;
}
else if (!DotNetUtils.HasReturnValue(method) && method.MethodSig.GetParamCount() == 1)
{
if (executeMethod != null)
{
throw new ApplicationException("Found another execute method");
}
executeMethod = method;
}
}
if (readMethod == null)
{
throw new ApplicationException("Could not find read method");
}
if (executeMethod == null)
{
throw new ApplicationException("Could not find execute method");
}
}
MethodDef GetAntiTamperingDetectionMethod(TypeDef type)
{
var requiredLocals = new string[] {
"System.Reflection.Assembly",
"System.Collections.Generic.Stack`1<System.Int32>",
};
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "(System.Type)"))
{
continue;
}
if (!new LocalTypes(method).All(requiredLocals))
{
continue;
}
if (!HasThrow(method))
{
continue;
}
return(method);
}
return(null);
}
static bool CheckLzmaMethods(TypeDef type)
{
int methods = 0;
foreach (var m in type.Methods)
{
if (m.IsStaticConstructor)
{
continue;
}
if (m.IsInstanceConstructor)
{
if (m.MethodSig.GetParamCount() != 0)
{
return(false);
}
continue;
}
if (!DotNetUtils.IsMethod(m, "System.UInt32", "(System.UInt32)"))
{
return(false);
}
methods++;
}
return(methods == 1);
}
bool CheckCctor(MethodDef cctor)
{
foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
{
if (method.Name != "Startup")
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
bool isOldTmp;
if (!CheckType(method.DeclaringType, out runtimeModule1, out runtimeModule2, out isOldTmp))
{
continue;
}
mcType = method.DeclaringType;
isOld = isOldTmp;
return(true);
}
return(false);
}